Make Dropzone uuid generation more secure

2026-02-05 07:58:32 -06:00 · 2026-01-06 15:48:44 +01:00
parent c1d2bf9623
commit 568f535ba2
6 changed files with 47 additions and 1 deletions
--- a/build/go-generate/minifyStaticContent.go
+++ b/build/go-generate/minifyStaticContent.go
@@ -77,6 +77,12 @@ func getPaths() []converter {
 		Type:       "text/javascript",
 		Name:       "Dateformat JS",
 	})
+	result = append(result, converter{
+		InputPath:  pathPrefix + "js/uuid.js",
+		OutputPath: pathPrefix + "js/min/uuid.min.js",
+		Type:       "text/javascript",
+		Name:       "UUID JS",
+	})
 	return result
 }

--- a/internal/webserver/web/static/js/admin_ui_upload.js
+++ b/internal/webserver/web/static/js/admin_ui_upload.js
@@ -23,6 +23,7 @@ function initDropzone() {
        init: function() {
            dropzoneObject = this;
            this.on("addedfile", file => {
+                file.upload.uuid = getUuid();
                saveUploadDefaults();
                addFileProgress(file);
            });
--- a/internal/webserver/web/static/js/min/admin.min.15.js
+++ b/internal/webserver/web/static/js/min/admin.min.15.js
--- a/internal/webserver/web/static/js/min/uuid.min.js
+++ b/internal/webserver/web/static/js/min/uuid.min.js
@@ -0,0 +1 @@
+function getUuid(){if(typeof crypto!="undefined"&&crypto.randomUUID)return crypto.randomUUID();if(typeof crypto!="undefined"&&crypto.getRandomValues){const e=new Uint8Array(16);return crypto.getRandomValues(e),e[6]=e[6]&15|64,e[8]=e[8]&63|128,[...e].map((e,t)=>(t===4||t===6||t===8||t===10?"-":"")+e.toString(16).padStart(2,"0")).join("")}let t="",e;for(e=0;e<36;e++)if(e===8||e===13||e===18||e===23)t+="-";else if(e===14)t+="4";else{const n=Math.random()*16|0;t+=(e===19?n&3|8:n).toString(16)}return t}
--- a/internal/webserver/web/static/js/uuid.js
+++ b/internal/webserver/web/static/js/uuid.js
@@ -0,0 +1,37 @@
+function getUuid() {
+  // Native UUID, not available in insecure environment
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID();
+  }
+
+  // CSPRNG-backed fallback
+  if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+
+    // RFC 4122 compliance
+    bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4
+    bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant 10
+
+    return [...bytes]
+      .map((b, i) =>
+        (i === 4 || i === 6 || i === 8 || i === 10 ? "-" : "") +
+        b.toString(16).padStart(2, "0")
+      )
+      .join("");
+  }
+
+  // If unavailable, Math.random (not cryptographically secure)
+  let uuid = "", i;
+  for (i = 0; i < 36; i++) {
+    if (i === 8 || i === 13 || i === 18 || i === 23) {
+      uuid += "-";
+    } else if (i === 14) {
+      uuid += "4";
+    } else {
+      const r = Math.random() * 16 | 0;
+      uuid += (i === 19 ? (r & 0x3) | 0x8 : r).toString(16);
+    }
+  }
+  return uuid;
+}
--- a/internal/webserver/web/templates/html_admin.tmpl
+++ b/internal/webserver/web/templates/html_admin.tmpl
@@ -163,6 +163,7 @@
 {{ end }}
 	
 	</script>
+        <script src="./js/min/uuid.min.js"></script>

 {{ if .EndToEndEncryption }}
        <script src="./js/min/wasm_exec.min.js"></script>
				`@@ -0,0 +1 @@`
				function getUuid(){if(typeof crypto!="undefined"&&crypto.randomUUID)return crypto.randomUUID();if(typeof crypto!="undefined"&&crypto.getRandomValues){const e=new Uint8Array(16);return crypto.getRandomValues(e),e[6]=e[6]&15\|64,e[8]=e[8]&63\|128,[...e].map((e,t)=>(t===4\|\|t===6\|\|t===8\|\|t===10?"-":"")+e.toString(16).padStart(2,"0")).join("")}let t="",e;for(e=0;e<36;e++)if(e===8\|\|e===13\|\|e===18\|\|e===23)t+="-";else if(e===14)t+="4";else{const n=Math.random()*16\|0;t+=(e===19?n&3\|8:n).toString(16)}return t}